Steve Syfuhs

Steve Syfuhs is a security software builder. He has spent the last decade building secure systems and is currently working at Microsoft as a Windows Identity Program Manager in OS Security. He was a Microsoft Developer Security MVP between 2011 - 2018.

Kerberos requires the use of shared secrets to validate tickets. These secrets need to be stored somewhere. Windows stores them in the registry — the Security hive specifically. Other platforms store them in keytab files. Keytab files are useful because they’re a well known construct and are supported by many platforms. What’s interesting about them is that they store the derived value used to encrypt the ticket, and not the real secret. This means you don’t need to worry about how the salt is derived, and can just use the value without having to know how to manipulate the underlying…

It’s been a few months since there’s been any public activity on the project but I’ve quietly been working on cleaning it up and there’s even been a PR from the community (thanks ZhongZhaofeng!). Part of that clean up process has been adding support for AES 128/256 tokens. At first glance you might think it’s fairly trivial to do — just run the encrypted data through an AES transform and you’re good to go — but let me tell you: it’s not that simple. On Securing Shared Secrets There’s primarily one big difference between how RC4 and AES are used in…

These days most developers won’t even consider third party libraries unless they’re available through nuget packages. I say this from experience — I will prefer a nuget’ed library over one where I have to manage the assembly manually. It saddens me a bit when I have to commit binaries to source control. Naturally this great new project of mine should therefore have it’s own nuget package! How do you use it? It’s quite easy; just pop open the Package Manager Console and add it! Package Manager Console Host Version 3.4.4.1321 Type ‘get-help NuGet’ to see all available NuGet commands. PM>…

The last few samples I created for Kerberos.NET were all run from a console application. This served a couple purposes. First, the samples are a lot more portable this way; second, IIS doesn’t get in the way. IIS supports kerberos authentication natively through the Windows Authentication mode. It does this via an ISAPI module that intercepts application response codes and does the negotiate dance on behalf of the application. This means as an application developer I can just say “return 401” and IIS appends a WWW-Authenticate header and processes any responses outside the sights of my application. This isn’t necessarily what…

In my last post I talked about trying out the Kerberos.NET sample project and mentioned that hitting the endpoint from a browser isn’t going to work because Active Directory doesn’t know about the application. Let’s see what we can do to fix this. A Service Principal Name (SPN) is a unique identifier tied to an account in Active Directory. They exist in the form {service}/{identifier}, e.g. HTTP/foo.bar.com. They are used to uniquely identify a service that can receive Kerberos tickets. When a browser is prompted to Negotiate authentication it uses the requesting domain (minus scheme and port) to find an SPN…

I recently committed a couple sample projects to the Kerberos.NET library that shows how you can authenticate a web-based Kerberos ticket. My choice of platform is OWIN middleware because it most closely resembles how things work in ASP.NET Core, without actually going full-core. The key class to look at is KerberosEndToEndMiddleware. It contains the necessary logic to handle detection and prompting for authentication: Keep in mind that this is rudimentary sample. It doesn’t detect or create sessions, so any unauthenticated requests will be prompted to authenticate. You can try the sample by just launching the KerberosMiddlewareEndToEndSample project. It’ll start a console app and begin…

In my last post I talked about how Azure AD does Kerberos Single Sign-On. Conceptually it’s a simple process, but when you dig into the details of the implementation, there are some serious hurdles to overcome. The Active Directory side of things is straightforward — it’s just a matter of manually creating an SPN and keeping the secret in sync. It gets really complicated on the Azure AD side of things though. Consider the history of web-based Kerberos. IIS has supported this for decades by way of an ISAPI HTTP module that parses out the header and hands it off to the…

Microsoft recently released the Azure AD Single Sign On preview feature, which is a way to support Kerberos authentication in to Azure AD. The neat thing about this is that you don’t need ADFS to have an SSO experience if you’ve already got AD infrastructure in place. It works the same way as in-domain authentication, via a Kerberos ticket granting scheme. This is a somewhat confounding feature for anyone who has experience with Kerberos in Windows because every party needs to be domain-joined for Kerberos to work. This doesn’t seem possible in the cloud considering its a) not your box, and b)…

Kate and I bought our first house a few months ago. This likely comes as a shock to us more than anyone else. The house was built in 2002, which means it has the benefit of being built to a more rigorous set of standards and codes than say a house built in 1972 and as such is theoretically safer and more energy efficient. The downside of a house built in 2002 is that it’s on the wrong side of the great technology upgrade divide. Most houses these days are wired with data in mind. The current standard is somewhere…

There is a growing trend where authentication is occurring within browser controls in applications instead of through native UI. In general, this is good because it makes things like federation simpler, and lets you use different forms of authentication without requiring changes to native components. This means any application you build can rely on a single authentication service and support a multitude of credential types without having to do anything in your own native app. Microsoft is all in with this through Azure AD, and through the ADAL (Azure Active Directory Authentication Libraries). Of course, there are problems with that. Paramount…